Real-time reconfigurable web application firewall for a distributed platform

ABSTRACT

Some embodiments provide reconfigurable web application firewall (WAF) functionality across a distributed platform. Specifically, the WAF function at each distributed platform server is customizable on a per customer and per inbound message basis. When a server receives an inbound message, the server identifies the content or services of which specific customer are implicated by the inbound message. The server screens the inbound message for attacks using a first set of rules and policies defined as part of a production profile from a WAF instance defined by the specific customer while contemporaneously testing the inbound message against a second set of rules and policies defined as part of an audit profile from the same WAF instance. In this manner, the specific customer tests the audit profile rules and policies while still receiving the protections of the production profile rules and policies.

CLAIM OF BENEFIT TO RELATED APPLICATIONS

This application is a continuation of U.S. nonprovisional application Ser. No. 14/579,372 entitled “Real-Time Reconfigurable Web Application Firewall For a Distributed Platform”, filed Dec. 22, 2014. The contents of application Ser. No. 14/579,372 are hereby incorporated by reference.

BACKGROUND INFORMATION

Network accessible sites and providers of online services and content are often subjected to malicious attacks. These attacks attempt to compromise confidentiality, integrity, and availability of the site, service, or content. Attacks can be conducted in any number of ways. Structured query language (SQL) injections, server-side scripting, and application layer or distributed denial of service (DDOS) are examples of a small set of attack methodologies.

Firewalls have proven to be effective defenses to many such attacks. A firewall can be a hardware or software based security solution. The firewall can be configured with white-lists, black-lists, rules, and policies that distinguish potentially malicious data traffic from acceptable data traffic. The firewall can also be configured to restrict detected malicious data traffic from entering or exiting a network or provide alerts to notify an administrator of an attack.

However, many sites and service providers now offload the delivery of their content and services to a distributed platform, such as a content delivery network (CDN). FIG. 1 presents an exemplary distributed platform architecture operating as a CDN. The CDN operates edge servers at different points-of-presence (PoPs) 110 that are often located at different edges of the Internet or other large network infrastructure. The PoPs 110 are geographically separated from one another. Customers including network site operators, content providers, and service providers interface with the CDN in order to specify configurations for the content and services they want to offload to the CDN for delivery. The CDN passes the customer configurations to the PoP 110 servers. In response, the PoP 110 servers obtain the customer content and services and deliver those content and services on behalf of the customers to users in an optimized manner. Specifically, the servers of each PoP 110 optimally serve the customer content and services to a set of users that are geographically proximate to that PoP 110. Each PoP 110 further provides redundancy to accommodate demand spikes and failover to provide continuous service in the event of equipment or network failure.

In terms of protecting and insulating customers from malicious attacks, the CDN (i.e., distributed platform) faces many challenges. The first challenge is that an attack can be launched against any customer at any of the PoPs 110. Firewall protection is therefore needed at each of the PoPs 110. The second challenge is that each PoP 110 simultaneously hosts and serves content and services of several different customers. A one-size-fits-all firewall solution applying the same white-lists, black-lists, rules, and policies for all customers is impractical and sub-optimal for customers. Different customers will offer different content and services from the same PoPs 110. Typically, these customers will have differing requirements as to what is acceptable data that should be allowed through the CDN firewall and what is potentially malicious data that should be restricted at the CDN firewall. Moreover, different customers may want to handle malicious data differently.

Accordingly, there is a need for a distributed platform web application firewall that insulates customer content and services from malicious attacks at each distributed platform PoP. There is further a need for each PoP to simultaneously support multiple firewall instances with each firewall instance providing different protections for different distributed platform customers. In other words, there is a need to allow each distributed platform customer the ability to configure its own protections and have the distributed platform enforce the protections configured by each customer independently. There is further a need to allow customers to test new protections without compromising existing protections that they have already configured.

BRIEF DESCRIPTION OF THE DRAWINGS

A preferred embodiment for a real-time reconfigurable web application firewall for a distributed platform will now be described, by way of example only, with reference to the accompanying drawings in which:

FIG. 1 presents an exemplary distributed platform architecture operating as a CDN.

FIG. 2 presents a process performed by a distributed platform PoP server for protecting assets of a particular customer according to one or more WAF instances that the particular customer has specified and that have been entered to the server's operational configuration in accordance with some embodiments.

FIG. 3 conceptually illustrates enforcing different customer WAF instances across a distributed platform in accordance with some embodiments.

FIG. 4 illustrates a process for defining a WAF instance for a particular customer in accordance with some embodiments.

FIG. 5 illustrates an interactive interface provided by the portal of some embodiments for enabling and disabling each threat detection category from a rule set individually.

FIG. 6 presents an interface for enabling and disabling individual rules associated with the cross-site scripting attack category in accordance with some embodiments.

FIG. 7 illustrates an interface for specifying access controls in accordance with some embodiments.

FIG. 8 illustrates an interface for specifying global settings in accordance with some embodiments.

FIG. 9 illustrates an exemplary interface identifying a report for the performance of a particular customer WAF instance.

FIG. 10 illustrates a computer system or server with which some embodiments are implemented.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

Some embodiments provide a real-time reconfigurable web application firewall (WAF) for a distributed platform. The distributed platform WAF secures assets, including content and services, of a plurality of different distributed platform customers at each of a plurality of points-of-presence (PoPs) from which the distributed platform makes the customers' assets available for external or outside consumption. The distributed platform WAF protections are customized on a per customer basis. Accordingly, when any distributed platform PoP server receives an inbound message that is directed to a particular customer's content or services, that server screens the inbound message against rules and policies from a customer specific WAF instance that is defined by the implicated particular customer.

The protections provided by each customer specific WAF instance are reconfigurable on a real-time basis, thereby allowing customers to immediately respond to and address security shortfalls. A customer can define multiple profiles that the user can then enable or disable on a real-time basis as part of the customer WAF instance that the distributed platform uses to secure assets of that customer across the distributed platform PoPs. Each profile defines a different set of firewall rules and policies for identifying attacks embedded or passed as part of inbound messages passing to the distributed platform. As part of the customer specific WAF instance, the customer enables a first defined profile as a “production profile” and a second defined profile as an “audit profile”. The distributed platform simultaneously executes the designated production profile and the designated audit profile from a customer WAF instance against the same set of inbound traffic. In simultaneously executing the production profile and audit profile enabled as part of a particular customer WAF instance, the distributed platform safeguards the particular customer's assets using the production profile set of rules and policies while contemporaneously testing the audit profile rules and policies without disabling or otherwise lifting any of the production profile protections. At any time, the user can switch between the production profile and the audit profile or select other profiles as the production and audit profiles with the changes propagating to the distributed platform PoP servers on a real-time basis.

In some embodiments, the WAF operation defined by the various customer WAF instances is incorporated as part of the content or service delivery function of each distributed platform PoP server. Consequently, the servers perform the dual function of providing firewall protections while also serving customer assets.

In some such embodiments, the servers derive their content or service delivery operation from an operational configuration. The operational configuration defines the caching policies, eviction policies, and optimizations, among other content or service delivery operational controls, that a server of the distributed platform implements. In some embodiments, each customer defined WAF instance is entered into the server operational configuration under a customer specific heading.

When a server identifies inbound traffic or messaging that is directed to a particular customer, the server queries its operational configuration to identify if a WAF instance has been created by that particular customer. If not, the server passes the traffic through without any protections. If a WAF instance has been created, the server enforces the protections that the particular customer configured as part of the particular customer's WAF instance production profile while also testing the inbound traffic against any rules and policies defined as part of the particular customer's WAF instance audit profile.

FIG. 2 presents a process 200 performed by a distributed platform PoP server for protecting assets of a particular customer according to a customer WAF instance that the particular customer has defined and that has been entered to the server's operational configuration in accordance with some embodiments. The process 200 commences with the server receiving (at 210) an inbound message from an external device. In some embodiments, the inbound message is any application layer message. For example, the inbound message can be a HyperText Transfer Protocol (HTTP) or HTTP secure (HTTPS) message used in requesting a service or content from the distributed platform. A malicious attack can be embedded in the header, payload, or metadata of the inbound message.

To secure the inbound message, the process identifies the proper customer WAF instance to screen the inbound message. In order to identify the proper customer WAF instance, the process 200 analyzes and extracts (at 220) a customer identifier from the inbound message. The customer identifier identifies a distributed platform customer whose assets are targeted by the inbound message. In some embodiments, the customer identifier is identified from a Uniform Resource Locator (URL) of the inbound message. In some such embodiments, the customer identifier may be a value that is included as part of the URL path or an argument provided as part of a URL query string. In some embodiments, the customer identifier is identified from the content or service targeted by the inbound message. Certain filenames, script names, or application names can uniquely link to and identify specific customers. In some embodiments, the customer identifier is determined from the header fields or payload of the inbound message.

The process queries (at 230) its operational configuration using the customer identifier. The query result identifies (at 240) whether the distributed platform customer has defined a customer WAF instance to protect its assets. In some embodiments, the query involves matching the customer identifier extracted from the inbound message to a customer identifier entry within the server operational configuration.

If a matching entry is not found in the server operational configuration, the process accepts (at 250) the inbound message, in which case it is passed to or further processed by a PoP server. In some embodiments, the system provides a basic set of protections for all users even when a matching entry is not found in the server operational configuration. In such cases, the process screens the inbound message using a set of system specified firewall rules and policies.

If a matching entry is found in the server operational configuration, the process determines (at 260) if an audit profile has been defined in addition to a production profile. If only a production profile is specified, the process screens (at 270) the inbound message for any embedded attacks using the production profile rules and policies. Should the inbound message contain an attack that is identified by one or more of the production profile rules or policies, the process performs an action. The action includes generating an alert or logging the violation. The alert can identify any of the detected attack, the inbound message containing the attack, and the one or more rules or policies used in identifying the attack. Additionally, the action can include blocking the inbound message from further processing. The action may be specified for the production profile as a whole or specifically for the violated rule or policy such that different violated rules or policies cause the server to perform different actions. If an audit profile is specified in addition to the production profile, the process replicates (at 280) the inbound message and tests (at 290) the audit profile rules and policies with the inbound message copy while contemporaneously protecting the customer's assets by enforcing (at 270) the production profile rules and policies against the original inbound message. Should the inbound message violate any of the audit profile rules or policies, the process provides an alert to notify the customer or security administrator. Alerts can be presented through a network accessible interface (i.e., dashboard) or other forms of communication including email, text message, instant message, etc.
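Process 200 modelled in Python, as an added example that is not code from the patent: the customer identifier is taken from the Host header (one of the header-based options the text allows), looked up in an operational configuration keyed by customer, and the production profile is enforced against the original message while a replica is tested against the audit profile. The rule patterns, hostnames and customer names are constructed sample values.

```python
import copy
import re
from dataclasses import dataclass, field

@dataclass
class Rule:
    rule_id: str
    category: str
    pattern: "re.Pattern"   # regex run over request line, headers and body
    action: str = None      # per-rule override ("block"/"alert"); None = profile default

@dataclass
class Profile:
    name: str
    rules: list
    default_action: str = "alert"

@dataclass
class WafInstance:
    production: Profile
    audit: Profile = None   # zero or one audit profile (step 260)

@dataclass
class Decision:
    customer: str
    blocked: bool = False
    alerts: list = field(default_factory=list)  # (profile, rule_id, category)

def extract_customer_id(message):
    """Step 220. Constructed convention: the first Host label names the customer."""
    host = message["headers"].get("Host", "")
    return host.split(".")[0].lower() or None

def _inspect(profile, message):
    """Run a profile's rules over the serialized message; return the violated rules."""
    text = "\n".join([
        f'{message["method"]} {message["path"]}',
        *(f"{k}: {v}" for k, v in message["headers"].items()),
        message.get("body", ""),
    ])
    return [r for r in profile.rules if r.pattern.search(text)]

def screen_inbound(message, operational_config, system_rules=None):
    """Process 200 for one inbound message; returns the Decision the server acts on."""
    customer = extract_customer_id(message)      # 220
    instance = operational_config.get(customer)  # 230/240: lookup by customer identifier
    decision = Decision(customer=customer)
    if instance is None:                          # 250: no customer entry
        # Optional basic system-specified protections for everyone, alert only.
        if system_rules:
            for r in _inspect(Profile("system", system_rules), message):
                decision.alerts.append(("system", r.rule_id, r.category))
        return decision
    # 270: production profile enforced against the original message
    for r in _inspect(instance.production, message):
        decision.alerts.append(("production", r.rule_id, r.category))
        if (r.action or instance.production.default_action) == "block":
            decision.blocked = True
    # 280/290: audit profile tested against a replica; it never blocks
    if instance.audit is not None:
        replica = copy.deepcopy(message)
        for r in _inspect(instance.audit, replica):
            decision.alerts.append(("audit", r.rule_id, r.category))
    return decision

# Constructed sample rules (coarse illustrative detection patterns)
SQLI = Rule("sqli-001", "sql-injection",
            re.compile(r"(?i)union\s+select|'\s*or\s*'1'\s*=\s*'1"), action="block")
XSS = Rule("xss-001", "cross-site-scripting", re.compile(r"(?i)<script\b"))
TRAVERSAL = Rule("ts-001", "tight-security", re.compile(r"\.\./"), action="block")

# Constructed operational configuration keyed by customer identifier
OPERATIONAL_CONFIG = {
    "acme": WafInstance(
        production=Profile("acme-prod", [SQLI], default_action="block"),
        audit=Profile("acme-audit", [XSS, TRAVERSAL]),   # candidate rules under test
    ),
    "globex": WafInstance(
        production=Profile("globex-prod", [SQLI, XSS], default_action="alert"),
    ),
}

def demo():
    """One request aimed at customer "acme" that trips a production and an audit rule."""
    msg = {"method": "GET",
           "path": "/search?q=<script>x</script>&id=1' or '1'='1",
           "headers": {"Host": "acme.cdn.example", "User-Agent": "sample-client"}}
    return screen_inbound(msg, OPERATIONAL_CONFIG, system_rules=[SQLI])

if __name__ == "__main__":
    print(demo())
```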

FIG. 3 conceptually illustrates enforcing different customer WAF instances across a distributed platform in accordance with some embodiments. The figure illustrates a distributed platform architecture having at least two PoPs 310 and 320 at two geographic regions. Each PoP 310 and 320 is shown with at least one server 315 and 325. Each PoP server 315 and 325 operates according to an operational configuration 330. The operational configuration 330 is modified to include at least two customer WAF instances 350 and 355. Each customer WAF instance 350 and 355 is defined with a production profile and an audit profile. Customer WAF instance 350 is defined to protect assets of a first distributed platform customer from attacks defined according to the customer WAF instance 350 production profile rules and policies. Customer WAF instance 355 is defined to protect assets of a second distributed platform customer from attacks defined according to the customer WAF instance 355 production profile rules and policies. The audit profile of each of the WAF instances 350 and 355 defines additional rules and policies that the corresponding customer wants to test contemporaneously with the production profile rules and policies.

PoP server 315 is shown to receive a first inbound message from a first user 340 and a second inbound message from a second user 345. The PoP server 315 determines that the first inbound message targets assets of a first distributed platform customer and that the second inbound message targets assets of a second distributed platform customer. The PoP server 315 then queries its operational configuration 330 to identify that customer WAF instance 350 includes rules and policies of a production profile that specify firewall protections for the first distributed platform customer assets and that customer WAF instance 355 includes rules and policies of a production profile that specify firewall protections for the second distributed platform customer assets. As noted above, this identification can be performed by matching the customer identifier from each inbound message to a corresponding customer identifier identifying a customer WAF instance in the operational configuration 330.

The PoP server 315 secures the first inbound message by identifying any attacks therein using the firewall rules and policies from the first customer WAF instance 350 production profile while using a copy of the same first inbound message to test rules and policies of the first customer WAF instance 350 audit profile. Similarly, the PoP server 315 secures the second inbound message by identifying any attacks therein using the firewall rules and policies from the second customer WAF instance 355 production profile while using a copy of the same second inbound message to test rules and policies of the second customer WAF instance 355 audit profile. As described above, the audit profiles provide each of the customers a means with which to test new rules and policies against actual production traffic without lifting the protections provided by rules and policies of the production profiles.

Depending on the defined rules and policies, securing the messages may include performing any of protocol validation, malicious client identification, generic attack signature identification, known vulnerabilities signature identification, Trojan or backdoor access identification, virus signature identification, or denial of service attack detection. Additionally or alternatively, the rules and policies can establish traffic restrictions to block traffic by Internet Protocol (IP) address, country, Uniform Resource Locator (URL), and/or referrer.

The production profiles further specify proactive or reactive actions that the server performs upon detecting a malicious attack. Proactive actions can include blocking or restricting an inbound message that contains a potentially malicious attack as a result of violating one of the production profile rules or policies. Reactive actions can include issuing an alert to the customer or an administrator when the inbound message contains a potentially malicious attack as a result of violating one of the production profile rules or policies. As the audit profiles are used in testing new firewall rules and policies and not the active protection of customer assets, the audit profiles do not define any proactive actions. Instead, the audit profiles define various reactive actions that the server performs when an audit profile rule or policy is violated.

In summary, the same PoP server 315 enforces different firewall protections for two inbound messages according to which distributed platform customer assets each inbound message targets. Moreover, the PoP server 315 tests the rules and policies of the first customer WAF instance 350 audit profile while contemporaneously protecting the first customer's assets with the rules and policies of the first customer WAF instance 350 production profile. Similarly, the PoP server 315 tests the rules and policies of the second customer WAF instance 355 audit profile while contemporaneously protecting the second customer's assets with the rules and policies of the second WAF instance 355 production profile.

The same production and audit profile rules and policies are also enforced by servers at the other distributed platform PoP 320. Accordingly, the first and second distributed platform customers need only specify their customer WAF instances once. The distributed platform automatically incorporates those WAF instances into the operational configurations of the distributed platform servers and automatically deploys those operational configurations to the distributed platform servers.

In some embodiments, the distributed platform includes a WAF security operations center (SOC) with which customers can define and configure their WAF instances and also view the performance of their WAF instances including any alerts that were triggered. In some such embodiments, the WAF SOC provides an online interactive portal for customers to specify their WAF instances. A specific customer logs in to the portal. Once logged in, the customer can define the rules and policies for identifying various attacks, associate the defined rules and policies to one or more profiles, and enable a first profile as the customer WAF instance production profile and a second profile as the customer WAF instance audit profile.

Customer created WAF instances are passed to a distributed platform configuration repository along with an identifier for the customer that created the WAF instance. Upon receiving a customer created WAF instance and customer identifier, the configuration repository updates the operational configurations of the PoP servers to incorporate the customer created WAF instance. Specifically, the configuration repository retrieves the operational configurations for the servers. Each operational configuration is then scanned to determine if a WAF instance entry already exists for the customer. If so, the entry is either replaced or updated with the newly created WAF instance. Otherwise, the configuration repository creates a new WAF instance entry for the customer under a customer specific heading within the operational configuration. The updated operational configuration is then stored back to the configuration repository.

The configuration repository facilitates the real-time deployment of the customer WAF instances to the distributed platform PoP servers for enforcement. In some embodiments, the PoP servers are configured to periodically check the repository for updates to their respective operational configurations. The checks can be performed on a timed basis (e.g., every minute) or whenever resource usage of the server drops below a certain threshold. Alternatively, the repository can be configured to push updated configurations to the servers. The repository can push the configurations to the appropriate set of servers whenever the configurations are updated or on a periodic basis. As soon as a server receives a configuration with a new or updated customer WAF instance, the server begins to enforce the rules and policies associated with the customer WAF instance production profile. In this manner, the distributed platform reconfigures the customer firewall protections in real-time.

In some embodiments, the configuration repository can also enter global rules or policies to all customer WAF instances, thereby ensuring that these global rules or policies are enforced for all distributed platform customers. Global rules or policies may be issued when a new attack that is unknown to many customers is detected or when an attack affects a large number of distributed platform customers. The global rules or policies temporarily protect customers from the attacks until the customers can formulate their own response strategy. Accordingly, a global rule or policy can be enforced for all customers for some period of time or while the attack is ongoing. Thereafter, the global rule or policy can be removed from the customer WAF instances and customers can define their own protections against the attack if desired. Alerts can be issued in conjunction with a global rule or policy to notify the customers of the attack and automated action taken by the distributed platform.

FIG. 4 illustrates a process 400 for defining a WAF instance for a particular customer in accordance with some embodiments. Process 400 can be used to create a new WAF instance or update an existing WAF instance of the particular customer.

The process 400 first involves defining (at 410) or configuring one or more firewall rules and policies. Each rule or policy defines expressions, formatting, conditions, or values for identifying one or more malicious attacks that a customer wants the distributed platform WAF to detect and take action against. Two or more rules can be grouped to create a rule set.

Each rule set contains one or more rules that identify specific types of threats within application layer traffic. Each rule set contains various threat detection categories. Each of the categories contains a set of rules that define how threats to site traffic will be detected. Each rule defines the directive or regular expression used to identify a specific threat. Policies can be specified according to access controls and global settings as some examples.

The threat detection categories of a rule set can include cross-site scripting attacks, protocol violations, correlation, Trojans, tight security, HTTP policy, protocol anomalies, request limits, common exceptions, generic attacks, Structured Query Language (SQL) injection attacks, and bad robots as some examples. The cross-site scripting attack category specifies rules that detect the addition of an unauthorized client-side script to a site. The protocol violations category detects violations of the HTTP protocol, such as URL encoding abuse, missing/duplicate/conflicting headers, and invalid characters as some examples. The correlation category provides threshold based threat detection. The Trojan category detects access to Trojans that have already made their way into a server. The tight security category detects path traversal attacks whereby attackers attempt to gain unauthorized access to a private location on a server. The HTTP policy category determines whether traffic matches the delivery profile defined by the global settings that define the Internet media type, HTTP methods or protocols, file name extensions, and request headers. The protocol anomalies category detects protocol anomalies including empty or missing header data. The request limits category determines whether traffic must match the delivery profile defined by the global settings that define query string and file size limitations. The generic attacks category detects common application security attacks including session fixation and Lightweight Directory Access Protocol (LDAP) injection attacks. The SQL injection attacks category detects a variety of different methods for initiating an SQL attack. The bad robots category detects known bad robots.

Some embodiments provide predefined rule sets that the customer can adopt. An example of a predefined rule set is the Open Web Application Security Project (OWASP) ModSecurity core rule set (CRS). The OWASP CRS provides generic protection from unknown vulnerabilities often found in web applications by inspecting HTTP data for malicious payloads. The benefit of adopting a predefined rule set is that whenever that rule set is updated, the customer WAF instance adopting the predefined rule set will automatically receive the updated rules or policies. In this manner, the customer can obtain protections from new attacks without having to manually specify rules or policies to protect against the new attacks.

In some embodiments, customers can enable and disable individual rules or threat detection categories of a rule set. In some embodiments, customers can modify various rules of predefined rule sets to customize them for the particular customer's needs.

FIG. 5 illustrates an interactive interface 500 provided by the portal of some embodiments for enabling and disabling each threat detection category from a rule set individually. The one or more rules associated with a threat detection category can also be enabled and disabled individually. For example, selection of interface element 510 provides access to the interface of FIG. 6. FIG. 6 presents an interface 600 for enabling and disabling individual rules associated with the cross-site scripting attack category in accordance with some embodiments. Some embodiments also allow customers to create their own proprietary rule set or specify new rules using regular expressions or conditional statements.

The profile access controls identify IP addresses, countries, URLs, and referrers to whitelist or blacklist. In other words, the access controls can be used to distinguish safe inbound messages from malicious inbound messages based on IP addressing (i.e., IPv4 or IPv6) of the requestor or sender of the inbound message, country from which a request or inbound message originates, matching URL fragment of the request or inbound message, or referrer. The whitelists identify safe or non-malicious traffic, whereas the blacklists identify traffic that potentially harbors a malicious attack or traffic that should be restricted for other reasons.

FIG. 7 illustrates an interface 700 for specifying access controls in accordance with some embodiments. The interface 700 includes whitelist and blacklist fields for specifying IP access controls 710, country access controls 720, URL access controls 730, and referrer access controls 740. The IP access control whitelist field 750 includes an address subnet that is considered a source of legitimate traffic and any traffic sent from users in that subnet is allowed to pass through the distributed platform's firewall protections. The IP access control blacklist field 760 includes a specific IP address that is considered a source of illegitimate traffic and any traffic sent from a user with that specific IP address will be screened according to an action that is configured for that policy.

The profile global settings define the properties for safe inbound messages. Traffic that does not have the defined properties is considered to be unwanted traffic and should be screened according to an action that is configured for the global settings. The global settings distinguish legitimate traffic from illegitimate traffic on the basis of any one or more of a file name extension, file size, request header, HTTP method, HTTP version, Internet media type, and query string values or parameters. More specifically, traffic can be differentiated on the basis of the file name extension of inbound requests and other inbound traffic, a maximum file size, in bytes, for a POST request or for multiple combined messages, the name of the response header included with a response, an enumeration of approved and/or rejected HTTP methods (e.g., GET and POST), an enumeration of approved and/or rejected HTTP versions (e.g., HTTP/1.1), and an enumeration of approved and/or rejected Internet media types (e.g., image/png). Restrictions on the maximum number of characters for a query string value, maximum number of parameters that a query string may contain, maximum number of characters for any single query string parameter value, or maximum number of characters for any single query string parameter name can also be used as global settings for differentiating between legitimate traffic and illegitimate traffic. FIG. 8 illustrates an interface 800 for specifying global settings in accordance with some embodiments.
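The access controls of FIG. 7 and the global settings of FIG. 8 evaluated in code, as an added example that is not part of the patent text: a whitelist hit admits the request, while blacklist hits and global-setting violations return named findings for the configured action to handle. The subnets, country codes, hostnames and limits are constructed sample values, and `sample_country_of` is a stub standing in for a GeoIP lookup.

```python
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qsl

@dataclass
class AccessControls:
    """Whitelist/blacklist pairs for the four access control types (710..740)."""
    ip_whitelist: list = field(default_factory=list)        # CIDR strings
    ip_blacklist: list = field(default_factory=list)
    country_whitelist: list = field(default_factory=list)   # ISO country codes
    country_blacklist: list = field(default_factory=list)
    url_whitelist: list = field(default_factory=list)       # URL fragments (substring)
    url_blacklist: list = field(default_factory=list)
    referrer_whitelist: list = field(default_factory=list)
    referrer_blacklist: list = field(default_factory=list)

@dataclass
class GlobalSettings:
    """Properties of legitimate traffic; anything outside them is a violation."""
    allowed_methods: set = field(default_factory=lambda: {"GET", "POST"})
    allowed_versions: set = field(default_factory=lambda: {"HTTP/1.1"})
    allowed_media_types: set = field(default_factory=set)   # empty = unrestricted
    allowed_extensions: set = field(default_factory=set)    # empty = unrestricted
    max_post_bytes: int = 1_000_000
    max_query_params: int = 50
    max_param_name_len: int = 64
    max_param_value_len: int = 512
    max_query_value_len: int = 2048

def _ip_in(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def check_access_controls(req, ac, country_of):
    """Return ("allow", reason) on a whitelist hit, ("block", reason) on a
    blacklist hit, or ("continue", None) when no access control applies."""
    src, url, ref = req["client_ip"], req["url"], req["headers"].get("Referer", "")
    country = country_of(src)
    checks = [  # (name, whitelisted?, blacklisted?)
        ("ip", _ip_in(src, ac.ip_whitelist), _ip_in(src, ac.ip_blacklist)),
        ("country", country in ac.country_whitelist, country in ac.country_blacklist),
        ("url", any(f in url for f in ac.url_whitelist), any(f in url for f in ac.url_blacklist)),
        ("referrer", any(f in ref for f in ac.referrer_whitelist),
         any(f in ref for f in ac.referrer_blacklist)),
    ]
    for name, white, _ in checks:
        if white:
            return "allow", f"{name}-whitelist"
    for name, _, black in checks:
        if black:
            return "block", f"{name}-blacklist"
    return "continue", None

def check_global_settings(req, gs):
    """Return the global-setting violations for one request (empty list = legitimate)."""
    v = []
    parts = urlsplit(req["url"])
    if req["method"] not in gs.allowed_methods:
        v.append("method")
    if req["version"] not in gs.allowed_versions:
        v.append("http-version")
    ctype = req["headers"].get("Content-Type", "").split(";")[0].strip()
    if gs.allowed_media_types and ctype and ctype not in gs.allowed_media_types:
        v.append("media-type")
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    if gs.allowed_extensions and ext and ext not in gs.allowed_extensions:
        v.append("extension")
    if req["method"] == "POST" and len(req.get("body", b"")) > gs.max_post_bytes:
        v.append("post-size")
    if len(parts.query) > gs.max_query_value_len:
        v.append("query-length")
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) > gs.max_query_params:
        v.append("query-param-count")
    if any(len(k) > gs.max_param_name_len for k, _ in params):
        v.append("param-name-length")
    if any(len(val) > gs.max_param_value_len for _, val in params):
        v.append("param-value-length")
    return v

# Constructed sample policy: one trusted subnet, one blocked host, one blocked
# country and referrer, tight query limits to make violations visible.
SAMPLE_AC = AccessControls(ip_whitelist=["203.0.113.0/24"], ip_blacklist=["198.51.100.7/32"],
                           country_blacklist=["ZZ"], referrer_blacklist=["bad-referrer.example"])
SAMPLE_GS = GlobalSettings(allowed_media_types={"application/json", "image/png"},
                           max_query_params=3, max_param_value_len=16)

def sample_country_of(addr):
    """Stub GeoIP lookup (constructed); a real deployment would query a GeoIP database."""
    return {"198.51.100.7": "ZZ"}.get(addr, "US")
```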

With reference back to process 400, the next step in defining a WAF instance is the creation of (at 420) one or more profiles. Each profile is a grouping of some set of rules and policies. Accordingly, the customer selects or associates one or more of the defined rules, rule sets, access controls, and global settings as a profile. The same rules and policies can be associated with different profiles. Each profile can be named so that it can be easily associated or disassociated with the customer WAF instance. A profile therefore defines a collective set of threat detection measures that may define any of the properties for legitimate traffic or illegitimate traffic.

In some embodiments, customers are provided granular control over how the distributed platform servers apply the profiles and individual rules or policies thereof. The granular control stems from the definition (at 430) of conditions in connection with a profile or individual rules or policies. A condition defined in connection with a specific rule controls how a distributed platform server enforces the specific rule against inbound traffic. Specifically, a condition defined in connection with a specific rule can cause a server to enforce the specific rule against all inbound traffic or restrict enforcement of the specific rule to traffic that is from a specific Autonomous System, origin, IP address, country, device type, or referring domain. Conditions can also be specified to restrict enforcement on the basis of certain cookies or cookie parameters, request method type, request scheme, URL path directory, URL path extension, URL path filename, URL query string, and regular expressions in the header, URL path, and URL query string as some examples.

The customer WAF instance definition continues by enabling (at 440) one profile as a production profile and zero or one profile as an audit profile. The profile selected as the production profile contains the rules and policies that the distributed platform enforces to protect the particular customer's assets across the distributed platform. The profile selected as the audit profile contains the rules and policies that the distributed platform will test alongside the production profile. As earlier noted, the distributed platform passes the same inbound traffic that is secured using the production profile rules and policies to the rules and policies of the audit profile. In this manner, the particular customer can test new rules and policies prior to deploying them as part of the production profile and can perform the tests without compromising existing security offered by the production profile.

The process then configures (at 450) actions that the distributed platform invokes upon a violation of a rule or policy of either the selected production profile or the audit profile. The actions control how data that is found to violate the rules and policies of the production and audit profiles is handled. As previously noted, the specified actions can include proactive and/or reactive actions. A proactive action actively protects customer assets by blocking or restricting data that is found to violate one or more of the defined rules and policies. A reactive action generates an alert or otherwise logs a rule or policy violation. The production profile can be defined with either proactive or reactive actions. Since the audit profile complements the production profile by providing the ability to test rules and policies alongside the production profile rules and policies, the audit profile is configured with one or more reactive actions. The alerts can be configured to identify the specific rule or policy that is violated and the data that caused the violation including various identifying information that can be extracted from the data (e.g., IP address of the sender, header parameters, etc.). In some embodiments, the same action or actions are implemented for all rule and policy violations of a particular profile. In some other embodiments, users can specify different actions for any one or more rules or policies (i.e., access control or global setting) of a profile.

As noted above, once the particular WAF instance is defined, the particular WAF instance is passed to the distributed platform configuration repository along with an identifier for the particular customer that created the WAF instance. The particular customer's WAF instance is then incorporated as part of the operational configurations of the distributed platform servers and used to update the firewall function of those servers in real-time. Specifically, the servers retrieve the updated operational configurations containing the particular WAF instance from the repository and then update their own operation as per the updated operational configurations.

In addition to the proactive and reactive actions defined in the different customer WAF instances, the distributed platform servers that provide the WAF functionality according to the different customer WAF instances also perform a logging function. The logging function is used to monitor the firewall function across the distributed platform as well as facilitate firewall reporting and alerting. When a server encounters data that violates a rule or policy of a customer WAF instance, the server enters the violation to a local log with a set of identifying information related to the violation.

The log entry includes one or more of the following fields: rule message, rule identifier, instance identifier, instance name, profile type, country code, action type, client IP address, URL, referrer, user agent, rule tags, matched on, and matched value. The rule message provides a description of the rule or policy that was violated. The rule identifier indicates the identifier for the rule or policy that was violated. The instance identifier and name indicate the identifier and name for the instance that activated the profile containing the rule or policy that was violated. The profile type indicates whether the violating data was screened using the production profile or audit profile of a customer WAF instance. The country code identifies the country or region from which the violating data originates. The action type indicates the type of action that was taken in response to the rule or policy violation. The client IP address identifies the IP address for the client or user that originates the violating data. The URL is the URL of the violating data and the referrer indicates the data's referrer as defined by the referrer request header field. The user agent indicates the user agent that submitted the violating data. The rule tags indicate whether a threat detection category, access control, or global setting was violated. The matched on indicates a variable that identifies where the violation was found and the matched value indicates the value that triggered the rule or policy violation.
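An added Python example that ties together steps 420 to 450 (profiles, per-rule conditions, one production and one audit profile, proactive versus reactive actions) and the log entry fields listed above. It is illustrative code written for this page, not the platform's own implementation: the class names, rule identifiers, regular expressions and the constructed customer instance are all assumptions, and the country code is assumed to have been resolved from the client address before screening.

```python
import copy
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Data model for this example only; class names, rule identifiers and
# regular expressions are assumptions, not the platform's own configuration.

@dataclass
class Request:
    client_ip: str
    country: str          # country code resolved upstream from client_ip (assumed)
    url: str
    headers: dict = field(default_factory=dict)   # lower-cased header names

@dataclass
class Rule:
    rule_id: str
    message: str
    tag: str              # "threat detection", "access control" or "global setting"
    matcher: Callable[[Request], Optional[tuple]]   # -> (matched_on, matched_value) or None
    condition: Callable[[Request], bool] = lambda r: True   # restricts enforcement

@dataclass
class Profile:
    name: str
    rules: list
    action: str           # "block" (proactive) or "alert" (reactive)

@dataclass
class WafInstance:
    instance_id: str
    name: str
    production: Profile
    audit: Optional[Profile] = None   # zero or one audit profile

def url_regex(pattern):
    """Matcher factory: reports where (the URL) and what text matched."""
    rx = re.compile(pattern, re.I)
    def match(req):
        m = rx.search(req.url)
        return ("url", m.group(0)) if m else None
    return match

def evaluate_profile(profile, profile_type, instance, req):
    """Apply each rule whose condition holds; return one log entry per violation."""
    entries = []
    for rule in profile.rules:
        if not rule.condition(req):
            continue          # condition restricts this rule to other traffic
        hit = rule.matcher(req)
        if hit is None:
            continue
        matched_on, matched_value = hit
        entries.append({
            "rule_message": rule.message, "rule_id": rule.rule_id,
            "instance_id": instance.instance_id, "instance_name": instance.name,
            "profile_type": profile_type, "country_code": req.country,
            "action_type": profile.action, "client_ip": req.client_ip,
            "url": req.url, "referrer": req.headers.get("referer", ""),
            "user_agent": req.headers.get("user-agent", ""), "rule_tags": rule.tag,
            "matched_on": matched_on, "matched_value": matched_value,
        })
    return entries

def screen(instance, req):
    """Screen with the production profile while testing the audit profile on a replica.

    Returns ("block" or "allow", log entries). Only a production violation with a
    proactive action changes the decision; audit violations are logged, never enforced.
    """
    prod_copy, audit_copy = copy.deepcopy(req), copy.deepcopy(req)   # replicate message
    log = evaluate_profile(instance.production, "production", instance, prod_copy)
    decision = "block" if log and instance.production.action == "block" else "allow"
    if instance.audit is not None:
        if instance.audit.action != "alert":
            raise ValueError("audit profile must be configured with a reactive action")
        log += evaluate_profile(instance.audit, "audit", instance, audit_copy)
    return decision, log

def promote_audit(instance):
    """Incorporate the audit profile's rules into the production profile."""
    if instance.audit is None:
        return
    known = {r.rule_id for r in instance.production.rules}
    instance.production.rules += [r for r in instance.audit.rules if r.rule_id not in known]
    instance.audit = None

def build_demo_instance():
    """Constructed customer WAF instance: two enforced rules, one rule under test."""
    production = Profile("prod-v3", [
        Rule("SQLI-001", "SQL tautology in URL", "threat detection",
             url_regex(r"'\s*or\s+\d+\s*=\s*\d+")),
        # Condition: enforce this access control only against non-US traffic.
        Rule("ACL-007", "admin path requested from outside US", "access control",
             url_regex(r"^/admin(/|$)"), condition=lambda r: r.country != "US"),
    ], action="block")
    audit = Profile("prod-v4-candidate", [
        Rule("XSS-002", "script tag in URL", "threat detection", url_regex(r"<\s*script")),
    ], action="alert")
    return WafInstance("inst-42", "example-customer", production, audit)
```

`screen` is the per-message path: the message is replicated, the production copy decides whether the message is blocked, and the audit copy only produces log entries with `profile_type` set to `audit`. `promote_audit` is the later step in which rules that proved useful under test are moved into the production profile, after which the same request that previously only raised an audit alert is blocked.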

The WAF SOC periodically compiles the various server logs. The WAF SOC then processes the compiled logs in order to create customer reports. Each customer report details any and all violations of a particular customer WAF instance that occur anywhere across the distributed platform. The WAF SOC provides an interface with which a customer can view the report for the performance of that customer's WAF instance.

FIG. 9 illustrates an exemplary interface 900 identifying a report for the performance of a particular customer WAF instance. The interface 900 illustrates the number of rule and policy violations of the particular customer WAF instance that occur across the distributed platform over time. The interface 900 further identifies the most common violations and the identifier for the rule that was most often violated. Customers can drill-down to view detailed information about a specific violation.

Using the reports, customers can better understand how their assets are protected throughout the distributed platform. Customers can then more knowledgeably fine-tune their firewall configurations and specify or adjust rules and policies to stay ahead of new attacks or combat existing threats. More specifically, customers can define and test new rules and policies using the audit profile without compromising the integrity and protections offered by the rules and policies of the production profile. Should the audit profile rules and policies prove effective against new or previously undetected attacks, the customer can quickly and easily incorporate those rules and policies from the audit profile into the production profile, thereby causing the distributed platform servers to enforce those rules and policies when protecting the customer's assets from attack.
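The SOC side of the preceding three paragraphs, as an added Python example: compiling the local logs of several servers, building the per-customer report that interface 900 displays (violations over time, most common violations, most-violated rule identifier), and the drill-down behind one count. The code is illustrative and not the platform's own; the server names, instance and rule identifiers, timestamps and addresses in `SERVER_LOGS` are constructed sample data, and the report keys are this example's choice.

```python
from collections import Counter

# Constructed local log entries from two platform servers (sample data for this
# example, not output of the described system). Field names follow the log
# fields listed above; fields not needed for the report are omitted.
SERVER_LOGS = {
    "server-a": [
        {"time": "2014-12-01T09:12:00Z", "instance_id": "inst-42", "rule_id": "SQLI-001",
         "rule_message": "SQL tautology in URL", "profile_type": "production",
         "action_type": "block", "client_ip": "203.0.113.5", "country_code": "DE"},
        {"time": "2014-12-01T09:40:00Z", "instance_id": "inst-42", "rule_id": "XSS-002",
         "rule_message": "script tag in URL", "profile_type": "audit",
         "action_type": "alert", "client_ip": "198.51.100.9", "country_code": "US"},
        {"time": "2014-12-01T11:03:00Z", "instance_id": "inst-7", "rule_id": "ACL-001",
         "rule_message": "request from rejected country", "profile_type": "production",
         "action_type": "block", "client_ip": "192.0.2.44", "country_code": "XX"},
    ],
    "server-b": [
        {"time": "2014-12-02T02:15:00Z", "instance_id": "inst-42", "rule_id": "SQLI-001",
         "rule_message": "SQL tautology in URL", "profile_type": "production",
         "action_type": "block", "client_ip": "203.0.113.5", "country_code": "DE"},
        {"time": "2014-12-02T02:16:00Z", "instance_id": "inst-42", "rule_id": "SQLI-001",
         "rule_message": "SQL tautology in URL", "profile_type": "production",
         "action_type": "block", "client_ip": "203.0.113.77", "country_code": "DE"},
        {"time": "2014-12-02T08:00:00Z", "instance_id": "inst-42", "rule_id": "XSS-002",
         "rule_message": "script tag in URL", "profile_type": "audit",
         "action_type": "alert", "client_ip": "198.51.100.9", "country_code": "US"},
    ],
}


def compile_logs(server_logs):
    """SOC step 1: merge every server's local log into one time-ordered stream,
    tagging each entry with the server that recorded it."""
    merged = (dict(entry, server=name) for name, log in server_logs.items() for entry in log)
    return sorted(merged, key=lambda e: e["time"])


def customer_report(entries, instance_id):
    """SOC step 2: summarise one customer WAF instance across the whole platform."""
    mine = [e for e in entries if e["instance_id"] == instance_id]
    by_rule = Counter(e["rule_id"] for e in mine)
    return {
        "instance_id": instance_id,
        "total_violations": len(mine),
        "violations_per_day": dict(Counter(e["time"][:10] for e in mine)),
        "violations_per_profile": dict(Counter(e["profile_type"] for e in mine)),
        "most_common_violations": Counter(e["rule_message"] for e in mine).most_common(3),
        "most_violated_rule_id": by_rule.most_common(1)[0][0] if by_rule else None,
        # Rules under test that fired: the candidates the customer decides to promote.
        "audit_rules_triggered": sorted({e["rule_id"] for e in mine if e["profile_type"] == "audit"}),
    }


def drill_down(entries, instance_id, rule_id):
    """Detail view behind one count: every matching entry, from every server."""
    return [e for e in entries if e["instance_id"] == instance_id and e["rule_id"] == rule_id]
```

Keeping `profile_type` in the report is what makes the audit workflow usable: the audit count shows how often a candidate rule would have fired, and the drill-down shows on which requests, without any of those requests having been blocked.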

Many of the above-described processes and components are implemented as software processes that are specified as a set of instructions recorded on a non-transitory computer-readable storage medium (also referred to as computer-readable medium). When these instructions are executed by one or more computational element(s) (such as processors or other computational elements like ASICs and FPGAs), they cause the computational element(s) to perform the actions indicated in the instructions. Server, computer, and computing machine are meant in their broadest sense, and can include any electronic device with a hardware processor including cellular telephones, smartphones, portable digital assistants, tablet devices, laptops, notebooks, desktop computers, and networked computers. Examples of computer-readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc.

FIG. 10 illustrates a computer system or server with which some embodiments are implemented. Such a computer system includes various types of computer-readable mediums and interfaces for various other types of computer-readable mediums that implement the various methods and machines described above (e.g., distributed platform servers, WAF SOC, etc.). Computer system 1000 includes a bus 1005, a processor 1010, a system memory 1015, a read-only memory 1020, a permanent storage device 1025, input devices 1030, and output devices 1035.

The bus 1005 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 1000. For instance, the bus 1005 communicatively connects the processor 1010 with the read-only memory 1020, the system memory 1015, and the permanent storage device 1025. From these various memory units, the processor 1010 retrieves instructions to execute and data to process in order to execute the processes of the embodiments described above. The processor 1010 is a processing device such as a central processing unit, integrated circuit, graphical processing unit, etc.

The read-only memory (ROM) 1020 stores static data and instructions that are needed by the processor 1010 and other modules of the computer system. The permanent storage device 1025, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 1000 is off. Some embodiments use a mass-storage device (such as a magnetic, solid-state disk, or optical disk and its corresponding disk drive) as the permanent storage device 1025.

Other embodiments use a removable storage device (such as a flash drive or solid-state disk) as the permanent storage device. Like the permanent storage device 1025, the system memory 1015 is a read-and-write memory device. However, unlike storage device 1025, the system memory is a volatile read-and-write memory, such as random access memory (RAM). The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the processes are stored in the system memory 1015, the permanent storage device 1025, and/or the read-only memory 1020.

The bus 1005 also connects to the input and output devices 1030 and 1035. The input devices enable the user to communicate information and select commands to the computer system. The input devices 1030 include alphanumeric keypads (including physical keyboards and touchscreen keyboards) and pointing devices (also called “cursor control devices”). The input devices 1030 also include audio input devices (e.g., microphones, MIDI musical instruments, etc.). The output devices 1035 display images generated by the computer system. The output devices include printers and display devices, such as liquid crystal displays (LCD).

Finally, as shown in FIG. 10, bus 1005 also couples computer 1000 to a network 1065 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks, such as the Internet.

As mentioned above, the computer system 1000 may include one or more of a variety of different computer-readable media. Some examples of such computer-readable media include RAM, ROM, compact discs (CD-ROM), digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-ray discs, and any other optical or magnetic media.

In the preceding specification, various preferred embodiments have been described with reference to the accompanying drawings. It will, however, be evident that various modifications and changes may be made thereto, and additional embodiments may be implemented, without departing from the broader scope of the invention as set forth in the claims that follow. The specification and drawings are accordingly to be regarded in an illustrative rather than restrictive sense.

We claim:
1. A method comprising: receiving an inbound message comprising a Uniform Resource Locator (URL) directed to a particular content provider from a plurality of content providers under protections of a firewall; selecting at said firewall, a particular firewall configuration defined by the particular content provider from a plurality of firewall configurations defined by the plurality of content providers based on said URL directed to the particular content provider; configuring active attack protections at the firewall based on a first set of firewall protections of the particular firewall configuration defined by the particular content provider and attack protections under test at the firewall based on a different second set of firewall protections of the particular firewall configuration defined by the particular content provider; replicating the inbound message, wherein said replicating produces at the firewall a first copy and a second copy of the inbound message; protecting the particular content provider from attacks in the inbound message violating the first set of firewall protections set as the active attack protections while contemporaneously testing the second set of firewall protections set as the attack protections under test against the second copy of the inbound message resulting from said replicating; and swapping the active attack protections with the attack protections under test in response to input from the particular content provider, wherein said swapping comprises protecting the particular content provider from attacks in subsequent messaging violating the second set of firewall protections set as the active attack protections while contemporaneously testing the first set of firewall protections set as the attack protections under test against copies of said subsequent messaging.
2. The method of claim 1 further comprising alerting the particular content provider of a first attack in the inbound message without blocking said inbound message as a result of the first attack violating at least one firewall protection of the second set of firewall protections set as the attack protections under test and not violating any firewall protection of the first set of firewall protections set as the active attack protections.
3. The method of claim 2 further comprising blocking the inbound message at the firewall as a result of a second attack in the first copy of the inbound message violating at least one firewall protection of the first set of firewall protections set as the active attack protections.
4. The method of claim 1 further comprising reconfiguring the firewall according to a third set of firewall protections defined by a different second content provider in response to a second inbound message comprising a different URL directed to a different second content provider of the plurality of content providers under protections of the firewall.
5. The method of claim 1 further comprising serving content of the particular content provider through the firewall in response to the inbound message omitting an attack protected against by the first set of firewall protections.
6. The method of claim 1, wherein said swapping comprises reconfiguring the firewall with the second set of firewall protections set as the active attack protections and the first set of firewall protections set as the attack protections under test.
7. The method of claim 1, wherein configuring the firewall comprises configuring a plurality of servers of a content delivery network (CDN) at different geographic points-of-presence (PoPs) of the CDN with the first and second sets of firewall protections in response to receiving said inbound message at each of the different PoPs.
8. The method of claim 7 further comprising propagating the first and second sets of firewall protections across the different PoPs of the CDN in response to an update to or definition of the first and second sets of firewall protections by the particular content provider.
9. The method of claim 8, wherein said propagating comprises receiving the first and second sets of firewall protections from the particular content provider at a security operations center of the CDN in advance of said propagating.
10. A method for customizing firewall protections based on implicated content provider content, the method comprising: receiving at a particular server, a first request comprising a first Uniform Resource Locator (URL), the first URL comprising a link to content of a first content provider; reconfiguring the particular server with a first set of firewall protections associated with the first URL; protecting the first content provider at the particular server from a first attack embedded in the first request using the first set of firewall protections; receiving at the particular server, a second request comprising a second URL, the second URL comprising a link to content of a second content provider; reconfiguring the particular server from the first set of firewall protections to a second set of firewall protections associated with the second URL in response to receiving the second URL, wherein the first set of firewall protections are defined by the first content provider and the second set of firewall protections are defined by the second content provider; protecting the second content provider at the particular server from a different second attack embedded in the second request using the second set of firewall protections; detecting at the particular server, a new attack affecting the plurality of content providers; and modifying the first and second sets of firewall protections in response to said detecting, wherein said modifying comprises inserting a new firewall protection protecting against the new attack in each of the first and second sets of firewall protections of the first and second content providers without action by the first and second content providers, wherein said modifying automatically enforces the new firewall protection as part of said protecting the first content provider and as part of said protecting the second content provider.
11. The method of claim 10 further comprising receiving at the particular server, a plurality of different sets of firewall protections from a plurality of content providers, wherein the plurality of different sets of firewall protections comprises the first and second sets of firewall protections.
12. The method of claim 11 further comprising linking each set of firewall protections from the plurality of different sets of firewall protections with a different URL associated with requesting a content or service from different content providers of the plurality of content providers.
13. The method of claim 12 further comprising customizing the plurality of different sets of firewall protections based on new rules or policies defined by the plurality of content providers.
14. The method of claim 10 further comprising serving the content of the first content provider from the particular server in response to a third request that does not violate the first set of firewall protections and serving the content of the second content provider from the particular server in response to a fourth request that does not violate the second set of firewall protections.
15. The method of claim 10, wherein protecting the first content provider comprises blocking a first set of requests harboring a first set of attacks detected by the first set of firewall protections at the particular server and permitting a second set of requests harboring at least one attack detected by the second set of firewall protections and not by the first set of firewall protections, and wherein the first and second sets of requests are directed to content of the first content provider.
16. A method comprising: propagating a plurality of firewall configurations across a plurality of content delivery servers, each firewall configuration of the plurality of firewall configurations comprising a different set of rules and policies protecting content of a different content provider; receiving an inbound message directed to a particular content provider at a particular content delivery server of the plurality of content delivery servers; screening the inbound message at the particular content delivery server against an active profile of a particular firewall configuration from the plurality of firewall configurations based on an identifier within the inbound message identifying the particular content provider while simultaneously testing the inbound message against a test profile of the particular firewall configuration, wherein the particular firewall configuration is defined by the particular content provider; providing a response to said inbound message as a result of said inbound message passing the set of rules and policies of the active profile of the particular firewall configuration during said screening, wherein providing the response comprises passing content of the particular content provider from the particular content delivery server to a client submitting said inbound message, and wherein providing the response further comprises alerting the particular content provider in response to said inbound message violating at least one of a set of rules and policies of the test profile of the particular firewall configuration; and blocking the inbound message at the particular content delivery server in response to said inbound message violating at least one of the set of rules and policies of the active profile of the particular configuration during said screening.
17. The method of claim 16 further comprising detecting a new attack impacting a plurality of content providers.
18. The method of claim 17 further comprising inserting a new rule or policy protecting against said new attack in each firewall configuration of the plurality of content providers from the plurality of firewall configurations, wherein said inserting comprises propagating updated firewall configurations across the plurality of content delivery servers.
19. The method of claim 16, wherein the particular firewall configuration comprises a first set of rules and policies actively protecting content of the particular content provider and a different second test set of rules and policies, and wherein providing the response comprises alerting the particular content provider in response to the inbound message violating a rule or policy from the second test set of rules and policies while passing the first set of rules and policies of the particular firewall configuration.